Method for session workflow information flow analysis

ABSTRACT

Described is a system for session workflow information flow analysis. The system labels a session identification (ID) in a session workflow as high confidentiality, such that the session ID remains only in confidential channels. Non-owner channels and authorization server channels are labeled as public channels. The session ID is type checked with a security type system, and security of the session ID is verified.

CROSS-REFERENCE TO RELATED APPLICATIONS

This is a Non-Provisional patent application of Ser. No. 62/403,811,filed in the United States on Oct. 4, 2016, entitled, “A Method forSession Workflow Information Flow Analysis,” the entirety of which ishereby incorporated by reference.

BACKGROUND OF INVENTION (1) Field of Invention

The present invention relates to a system for session workflowinformation flow analysis and, more particularly, to a system forsession workflow information flow analysis using a static analysistechnique.

(2) Description of Related Art

A workflow is comprised of an orchestrated and repeatable pattern ofbusiness activity that is enabled by the organization of resources intoprocess that transform materials, provide services, and processinformation. Authorization in highly interconnected and interdependentsystems poses a unique set of challenges. Modem systems utilize “API(application programming interface) access delegation” techniques (orsometimes considered more as an architectural style or best practice),such as OAuth (see the List of Incorporated Literature References,Literature Reference No. 2), to enable third party applications toobtain limited access to data and functionality provided by a softwareservice. Such techniques have been shown to be suspect to sessionfixation attacks where the attacker initiates an authorization workflowonly to trick the victim into completing the authentication step for asession with a session identifier (ID) known by the attacker.

A session identifier, or session 1D, is data that is used in networkcommunications (e.g., over hypertext transfer protocol (HTTP)) toidentify a session, which is a series of related message exchanges. Thetypical workarounds for session fixation and similar session ID attacksinclude timing out session IDs, regenerating session IDs on everyrequest, and enforcing logout semantics.

The key problem is the reliance on session IDs to maintain the notion ofstate in an otherwise stateless application protocol (e.g., HTTP). Inone sense, session IDs were originally intended to improve security byenabling applications to keep sensitive information only on the serverinstead of having the client and server exchange that information,leaving only the intrinsically uninteresting session ID to float overthe wire. Unfortunately, session IDs are communicated in requeststhrough cookies or the uniform resource locator (URL), both of which maybe vulnerable to third party disclosure.

Session IDs are only as secure as they are secret. If a victim emails aURL with an embedded session ID to another person then she hascompromised that session. If the session ID is sent in the clear and anattacker sniffs out the session ID that also compromises the session.Most solutions to securing session workflows are either ad hoc or bruteforce. The solutions rely a great deal on developers to carry out bestpractices and failing that, pervasive encryption. None of thesetechniques are fool-proof. Best practices cannot address complexinterleaving and communication patterns. Encryption is only effective inthe case where the attacker has not fixated sessions.

Thus, a continuing need exists for a system that uses a static techniquefor enforcing the security of session-based workflows with explicitsupport for modeling session IDs and attacker processes.

SUMMARY OF THE INVENTION

The present invention relates to a system for session workflowinformation flow analysis and, more particularly, to a system forsession workflow information flow analysis using a static analysistechnique. The system comprises one or more processors and a memoryhaving instructions such that when the instructions are executed, theone or more processors perform multiple operations. The system labels asession identification (ID) in a session workflow as highconfidentiality, such that the session ID remains only in confidentialchannels. Non-owner channels and authorization server channels arelabeled as public channels. The session ID is type checked with asecurity type system, and security of the session ID is verified.

In another aspect, the session workflow is codified in formal semanticsof a computer programming language.

In another aspect, the security type system ensures that the session IDwill not directly or indirectly leak to an attacker.

In another aspect, the session ID can appear in an attacker systemprovided that it remains only in confidential channels, wherein theconfidential channels cannot be directly or indirectly observed by anattacker.

In another aspect, the present invention also comprises a method forcausing a processor to perform the operations described herein andperforming the listed operations.

Finally, in yet another aspect, the present invention also comprises acomputer program product comprising computer-readable instructionsstored on a non-transitory computer-readable medium that are executableby a computer having a processor for causing the processor to performthe operations described herein.

BRIEF DESCRIPTION OF THE DRAWINGS

The objects, features and advantages of the present invention will beapparent from the following detailed descriptions of the various aspectsof the invention in conjunction with reference to the followingdrawings, where:

FIG. 1 is a block diagram depicting the components of a system forsession workflow information flow analysis according to the principlesof the present disclosure;

FIG. 2 is an illustration of a computer program product according to theprinciples of the present disclosure; and

FIG. 3 illustrates a system for session workflow information flowanalysis according to the principles of the present disclosure.

DETAILED DESCRIPTION

The present invention relates to a system for session workflowinformation flow analysis and, more particularly, to a system forsession workflow information flow analysis using a static analysistechnique. The following description is presented to enable one ofordinary skill in the art to make and use the invention and toincorporate it in the context of particular applications. Variousmodifications, as well as a variety of uses in different applicationswill be readily apparent to those skilled in the art, and the generalprinciples defined herein may be applied to a wide range of aspects.Thus, the present invention is not intended to be limited to the aspectspresented, but is to be accorded the widest scope consistent with theprinciples and novel features disclosed herein.

In the following detailed description, numerous specific details are setforth in order to provide a more thorough understanding of the presentinvention. However, it will be apparent to one skilled in the art thatthe present invention may be practiced without necessarily being limitedto these specific details. In other instances, well-known structures anddevices are shown in block diagram form, rather than in detail, in orderto avoid obscuring the present invention.

The reader's attention is directed to all papers and documents which arefiled concurrently with this specification and which are open to publicinspection with this specification, and the contents of all such papersand documents are incorporated herein by reference. All the featuresdisclosed in this specification, (including any accompanying claims,abstract, and drawings) may be replaced by alternative features servingthe same, equivalent or similar purpose, unless expressly statedotherwise. Thus, unless expressly stated otherwise, each featuredisclosed is one example only of a generic series of equivalent orsimilar features.

Furthermore, any element in a claim that does not explicitly state“means for” performing a specified function, or “step for” performing aspecific function, is not to be interpreted as a “means” or “step”clause as specified in 35 U.S.C. Section 112, Paragraph 6. Inparticular, the use of “step of” or “act of” in the claims herein is notintended to invoke the provisions of 35 U.S.C. 112, Paragraph 6.

Please note, if used, the labels left, right, front, back, top, bottom,forward, reverse, clockwise and counter-clockwise have been used forconvenience purposes only and are not intended to imply any particularfixed direction. Instead, they are used to reflect relative locationsand/or directions between various portions of an object. As such, as thepresent invention is changed, the above labels may change theirorientation.

Before describing the invention in detail, first a list of citedliterature references used in the description is provided. Next, adescription of various principal aspects of the present invention isprovided. Finally, specific details of the present invention areprovided to give an understanding of the specific aspects.

(1) LIST OF INCORPORATED LITERATURE REFERENCES

The following references are incorporated and cited throughout thisapplication. For clarity and convenience, the references are listedherein as a central resource for the reader. The following referencesare hereby incorporated by reference as though fully included herein.The references are cited in the application by referring to thecorresponding literature reference number, as follows:

-   1. Chetan Bansal, Karthikeyan Bhargavan, and Sergio Maffeis.    Discovering concrete attacks on website authorization by formal    analysis. In 2012 IEEE 25th Computer Security Foundations Symposium    (CSF), June 2012.-   2. D. Hardt. The OAuth 2.0 authorization framework    draft-ietf-oauth-v2-31. Technical report, July 2012.    http://tools.ietf.org/html/draft-ietf.oauth-v2-31, taken on Aug. 4,    2014.-   3. Naoki Kobayashi. Type-based information flow analysis for the    pi-calculus. Acta Inf., 42(4-5): 291-347, 2005.-   4. Naoki Kobayashi, Benjamin C. Pierce, and David N. Turner.    Linearity and the pi-calculus. In Hans-Juergen Boehm and Guy L.    Steele, Jr., editors, POPL, pages 358-371, ACM Press, 1996, ISBN    0-89791-769-3.-   5. Jonathan Michaux, Elie Najm, and Alessandro Fantechi. Adding    sessions to BPEL. In Josep Silva and Francesco Tiezzi, editors, WW,    volume 98 of EPTCS, pages 60-76, 2012.-   6. Suhas Pai, Yash Sharma, Sunil Kumar, Radhika M Pai, and Sanjay    Singh. Formal Verification of OAuth 2.0 using Alloy Framework. In    Proceedings of the 2011 International Conference on Communication    Systems and Network Technologies, June 2011.-   7. Milner, Robin. Communicating and Mobile Systems: The x-calculus.    Cambridge, UK: Cambridge University Press. ISBN 0-521-65869-1, 1999.

(2) PRINCIPAL ASPECTS

The present invention has three “principal” aspects. The first is asystem for session workflow information flow analysis. The system istypically in the form of a computer system operating software or in theform of a “hard-coded” instruction set. This system may be incorporatedinto a wide variety of devices that provide different functionalities,such as a robot or other device. The second principal aspect is amethod, typically in the form of software, operated using a dataprocessing system (computer). The third principal aspect is a computerprogram product. The computer program product generally representscomputer-readable instructions stored on a non-transitorycomputer-readable medium such as an optical storage device, e.g., acompact disc (CD) or digital versatile disc (DVD), or a magnetic storagedevice such as a floppy disk or magnetic tape. Other, non-limitingexamples of computer-readable media include hard disks, read-only memory(ROM), and flash-type memories. These aspects will be described in moredetail below.

A block diagram depicting an example of a system (i.e., computer system100) of the present invention is provided in FIG. 1. The computer system100 is configured to perform calculations, processes, operations, and/orfunctions associated with a program or algorithm. In one aspect, certainprocesses and steps discussed herein are realized as a series ofinstructions (e.g., software program) that reside within computerreadable memory units and are executed by one or more processors of thecomputer system 100. When executed, the instructions cause the computersystem 100 to perform specific actions and exhibit specific behavior,such as described herein.

The computer system 100 may include an address/data bus 102 that isconfigured to communicate information. Additionally, one or more dataprocessing units, such as a processor 104 (or processors), are coupledwith the address/data bus 102. The processor 104 is configured toprocess information and instructions. In an aspect, the processor 104 isa microprocessor. Alternatively, the processor 104 may be a differenttype of processor such as a parallel processor, or a field programmablegate array.

The computer system 100 is configured to utilize one or more datastorage units. The computer system 100 may include a volatile memoryunit 106 (e.g., random access memory (“RAM”), static RAM, dynamic RAM,etc.) coupled with the address/data bus 102, wherein a volatile memoryunit 106 is configured to store information and instructions for theprocessor 104. The computer system 100 further may include anon-volatile memory unit 108 (e.g., read-only memory (“ROM”),programmable ROM (“PROM”), erasable programmable ROM (“EPROM”),electrically erasable programmable ROM “EEPROM”), flash memory, etc.)coupled with the address/data bus 102, wherein the non-volatile memoryunit 108 is configured to store static information and instructions forthe processor 104. Alternatively, the computer system 100 may executeinstructions retrieved from an online data storage unit such as in“Cloud” computing. In an aspect, the computer system 100 also mayinclude one or more interfaces, such as an interface 110, coupled withthe address/data bus 102. The one or more interfaces are configured toenable the computer system 100 to interface with other electronicdevices and computer systems. The communication interfaces implementedby the one or more interfaces may include wireline (e.g., serial cables,modems, network adaptors, etc.) and/or wireless (e.g., wireless modems,wireless network adaptors, etc.) communication technology.

In one aspect, the computer system 100 may include an input device 112coupled with the address/data bus 102, wherein the input device 112 isconfigured to communicate information and command selections to theprocessor 100. In accordance with one aspect, the input device 112 is analphanumeric input device, such as a keyboard, that may includealphanumeric and/or function keys. Alternatively, the input device 112may be an input device other than an alphanumeric input device. In anaspect, the computer system 100 may include a cursor control device 114coupled with the address/data bus 102, wherein the cursor control device114 is configured to communicate user input information and/or commandselections to the processor 100. In an aspect, the cursor control device114 is implemented using a device such as a mouse, a track-ball, atrack-pad, an optical tracking device, or a touch screen. The foregoingnotwithstanding, in an aspect, the cursor control device 114 is directedand/or activated via input from the input device 112, such as inresponse to the use of special keys and key sequence commands associatedwith the input device 112. In an alternative aspect, the cursor controldevice 114 is configured to be directed or guided by voice commands.

In an aspect, the computer system 100 further may include one or moreoptional computer usable data storage devices, such as a storage device116, coupled with the address/data bus 102. The storage device 116 isconfigured to store information and/or computer executable instructions.In one aspect, the storage device 116 is a storage device such as amagnetic or optical disk drive (e.g., hard disk drive (“HDD”), floppydiskette, compact disk read only memory (“CD-ROM”), digital versatiledisk (“DVD”)). Pursuant to one aspect, a display device 118 is coupledwith the address/data bus 102, wherein the display device 118 isconfigured to display video and/or graphics. In an aspect, the displaydevice 118 may include a cathode ray tube (“CRT”), liquid crystaldisplay (“LCD”), field emission display (“FED”), plasma display, or anyother display device suitable for displaying video and/or graphic imagesand alphanumeric characters recognizable to a user.

The computer system 100 presented herein is an example computingenvironment in accordance with an aspect. However, the non-limitingexample of the computer system 100 is not strictly limited to being acomputer system. For example, an aspect provides that the computersystem 100 represents a type of data processing analysis that may beused in accordance with various aspects described herein. Moreover,other computing systems may also be implemented. Indeed, the spirit andscope of the present technology is not limited to any single dataprocessing environment. Thus, in an aspect, one or more operations ofvarious aspects of the present technology are controlled or implementedusing computer-executable instructions, such as program modules, beingexecuted by a computer. In one implementation, such program modulesinclude routines, programs, objects, components and/or data structuresthat are configured to perform particular tasks or implement particularabstract data types. In addition, an aspect provides that one or moreaspects of the present technology are implemented by utilizing one ormore distributed computing environments, such as where tasks areperformed by remote processing devices that are linked through acommunications network, or such as where various program modules arelocated in both local and remote computer-storage media includingmemory-storage devices.

An illustrative diagram of a computer program product (i.e., storagedevice) embodying the present invention is depicted in FIG. 2. Thecomputer program product is depicted as floppy disk 200 or an opticaldisk 202 such as a CD or DVD. However, as mentioned previously, thecomputer program product generally represents computer-readableinstructions stored on any compatible non-transitory computer-readablemedium. The term “instructions” as used with respect to this inventiongenerally indicates a set of operations to be performed on a computer,and may represent pieces of a whole program or individual, separable,software modules. Non-limiting examples of “instruction” includecomputer program code (source or object code) and “hard-coded”electronics (i.e. computer operations coded into a computer chip). The“instruction” is stored on any non-transitory computer-readable medium,such as in the memory of a computer or on a floppy disk, a CD-ROM, and aflash drive. In either event, the instructions are encoded on anon-transitory computer-readable medium.

(3) SPECIFIC DETAILS OF THE INVENTION

(3.1) Session Authorization Workflows

Authorization in highly interconnected and interdependent systems posesa unique set of challenges. Modern systems utilize “API (applicationprogramming interface) access delegation” techniques (or sometimesconsidered more as an architectural style or best practice), such asOAuth (see Literature Reference No. 2), to enable third partyapplications to obtain limited access to data and functionality providedby a software service. Such techniques have been shown to be subject tosession fixation attacks, where the attacker initiates an authorizationworkflow only to trick the victim into completing the authenticationstep for a session with a session identifier (D) known by the attacker.

The key problem is the reliance on session IDs to maintain the notion ofstate in an otherwise stateless application protocol (e.g., hyper-texttransfer protocol (HTTP)). In one sense, session IDs were originallyintended to improve security by enabling applications to keep sensitiveinformation only on the server instead of having the client and serverexchange that information, leaving only the intrinsically uninterestingsession ID to float over the wire. Unfortunately, session IDs arecommunicated in requests through cookies or the uniform resource locator(URL), both of which may be vulnerable to third party disclosure.

Session IDs are only as secure as they are secret. If a victim emails aURL with an embedded session ID to another person, then he or she hascompromised that session. If the session ID is sent in the clear and anattacker ascertains the session ID, which also compromises the session.

(3.1.1) Session Authorization

The challenge from the system designer's point-of-view is the need toensure that sessions and associated session IDs do not persist beyondtheir usefulness and do not become disassociated with the owner of thesession. A representative example of a desired lifecycle of a sessioncan be summarized as follows:

-   -   1. Initiate authentication.    -   2. Check credentials.    -   3. Issue session ID and create session.    -   4. Destroy session after a timeout, logout, or completion of an        authorized action.

The above session lifecycle denotes a kind of session workflow. Eachsession can terminate via time-out, logout, or completion of anauthorized action. These session lifecycle steps can be further chainedto obtain richer behaviors. For example, consider the following twoscenarios:

-   -   1. After a time-out, the program can generate a new        authentication request.    -   2. After the completion of a task, the program can generate a        new session ID to support a subsequent request.

The system according to the principles of the present disclosurecodifies the session lifecycle in a formal semantics that enablesautomatic checking of the security of session management functionalityin programs (e.g., any program that uses session ids, such as a programimplementing a web service). The formal semantics provides a formaldefinition of what the session lifecycle should be. Formal semantics ofa programming language is the mathematical definition of the meaning ofall the programming language constructs.

(3.1.2) Third Party Application Programming Interface (API)Authorization

The OAuth protocol (see Literature Reference No. 2) use case describesthe interaction of four parties including a resource server that storesprivate data; an authorization server which issues an access token (anaccess token contains the security credentials for a login session andidentifies the user, the user's groups, the user's privileges, and, insome cases, a particular application); a resource owner that has logincredentials for the private data on the resource server; and a clientthat needs to have limited access to the private data on the resourceserver to perform an action on behalf of the resource owner. UsingFacebook™ authentication to log into an unrelated website is anon-limiting example utilizing a protocol similar to OAuth 2.0. In thisexample, the client is a user with an internet browser, the resourceserver is any web server that wants to authenticate the user, andFacebook™ is the authentication server. The OAuth 2.0 draft standarddescribed in Literature Reference No. 2 enumerates four forms of accessgrants: authorization code; implicit; resource owner passwordcredentials; and client credentials.

(3.1.3) Process Calculus Representation

The stateless protocol for modeling the session lifecycle can berepresented as an applied typed π-calculus, a process calculus (i.e., afundamental language for representing concurrent computations such as inthe case with client/server communications). The π-calculus isconsidered a fundamental proto-language for the message-passing model ofconcurrency, thus capable of modeling distributed computing, networkcomputing, and host-based concurrency. π-calculus is described inLiterature Reference No. 7.

Kobayashi developed a security-typed variant of the π-calculus (seeLiterature Reference No. 3) where the calculus admitted syntax-directedtype inference. The work built upon prior attempts at devising aninformation analysis for a process calculi primarily by relaxing therestrictions on communication patterns. Early attempts made draconianrestrictions on what a process could do subsequent to receiving on asecret channel.

For the purposes of this disclosure, a channel is any communicationchannel used by the program to communicate with outside entities. As anon-limiting example, in the case of a web service, any HTTP connectionwould be a communication channel.

The process syntax is defined as follows:P::=0| x

₁ , . . . , v _(n)

P|x(y ₁ , . . . y _(n))·P|(P|Q)|*P|(vx:ξ)PAbove is a standard form for defining grammar of programming languagesdenoting that process (P) can take any of the forms described below. Itis a simplified form of “Definition 2” described in detail in LiteratureReference No. 3.

The 0 is the null process which serves as a terminator for an enclosingprocess. The x

v₁, . . . , v_(n)

. P is an n-ary output prefix denoting a process that outputs n-arytuple y₁, . . . , y_(n) over the channel x and then executes P.Similarly, the input prefix x(y₁, . . . , y_(n)). P denotes a processthat receives an n-ary tuple y₁ . . . , y_(n) over the channel x andthen executes P. The parallel construct (P|Q) executes the two processesconcurrently. The replication process *P makes an arbitrary number ofcopies of the process P and executes them concurrently. The new process(vx:ξ)P generates a fresh channel name x with the expectation that thetype of values communicated over it must be of channel type ξ. Channeltypes are types labeled with a security level (e.g., int^(H)).

A sequence of input and output prefixes in the calculus corresponds tothe notion of a request. Typically, a client initiates a request, aserver receives it and responds with the results, and the clientreceives the response. This sequence of events defines a request. Thesession workflows can be encoded as programs in this calculus.

Session IDs are generated by authenticated workflows. This behavior canbe modeled as a primitive authenticate. On the client side, a primitivereceiveID can be a channel for an input prefix that receives a freshsession ID. Enforcing session IDs with limited lifetime based on thecompletion of an authorized action requires scoping of that action. Insuch a case, session IDs can be considered a lexically scoped blockvariable that is deallocated upon reaching the end of the lexical block.

The problem of securing the session ID has garnered considerableattention from many facets of industry and academia. There are a numberof approaches to remediating the deficiencies of session management, butnone of the existing solutions are perfect. With respect to the need forpreventing session ID disclosure through third party sniffing forsession IDs being passed in the clear, encryption at the transport layergoes quite a way toward addressing that need. Unfortunately, such anapproach does not address session fixation vulnerabilities or host-basedattacks. Association of sessions with a single, fixed Internet protocol(IP) address is impractical due to the prevalence of network addresstranslation (NAT) in Internet systems. Furthermore, modern applicationshave begun to move away from the conventional request/response model ofcommunication to a more fluid asynchronous model.

(3.2) A Language and Semantics for Session Workflows

Let s, c, γ, i, query and response denote the server channel, clientchannel, client credential, and session ID, client query, and serverresponse, respectively. A non-limiting example of a typical sessionworkflow from the perspective of the client, represented in Kobayashi'sapplied variant of the polyadic π-calculus, is as follows:s

γ

·s(i)· s

i,query

·s(response).From the server, the exchange is slightly more involved due to the logicfor checking the credentials and creating the new session and is asfollows:c(γ)·if valid(γ)then(v _(i):int^(H)) c

i

·c(i′,query)·if i=i′then c

response

·0 else 0 else 0,where valid(γ) denotes the server's check for the validity of the clientcredentials.

The above server program takes no special care to manage the lifetime ofthe session ID. Instead, the session ID naturally expires according tothe scope of the v operator (that is, the fresh name-binding operator ofthe w-calculus (see Literature Reference No. 7 for a description of thefresh name-binding operator)). Unfortunately, this property is notsufficient to ensure that the lifetime of the session ID is correct. Theproblem is more apparent if the client, server, and a third process arecomposed using the parallel-operator (see Literature Reference No. 7).According to the semantics of the π-calculus, P|(Q|R)≡(P|Q)R (defined inLiterature Reference No. 7), hence the expected semantics cannot dependon a particular interleaving of the three processes. In particular, ifthe third process also expects to receive the session ID from the serveron channel s, then it could hijack the session.

Let c′ be the attacker's channel to the client, respectively. Let a bethe server's channel to the attacker. Various forms of attacks on thesession workflow can be expressed in the applied π-calculus as follows:s

·s(i)· c ′

i

·P.where P is the reminder of the attack process.The above sequence is the attacker's process. It begins by initiating asession with the server by sending an empty message (which can beunderstood as a GET request (i.e., a request for data from a specifiedresource). The attacker receives a response with the session ID i forhis new session. The attacker now redirects the victim to authenticatethat session to the victim's own credentials. When the attacker reachesP, he has full control of an authenticated session with session ID iaccording to the following:a(i)· s

i,γ

·0.By authenticating session i with the victim's own credentials, thevictim has handed the attacker a session where the attacker is free todo anything with the victim's identity and privileges for the durationof that one session. In this representation, the client receives thesession ID and authenticates session i using real credentials. Inpractice, the step connecting the receipt of the fixed session ID fromthe attacker and authenticating is mediated by some innocuous-lookingfront for the attacker. In particular, if the attacker can get thevictim onto a webpage controlled by the attacker, then this redirectionis simple. The generation of the session ID is, as usual, handled by theserver. In the process calculus, this can be modeled with thev-operator, which generates fresh names.

There are two ways to view the session ID security problem. The resourceserver, owner, and potential client would like to keep the session IDconfidential from an attacker. Alternatively, the resource server cantreat session IDs as high or low integrity depending on the source.

(3.3) Session ID Security as an Information Flow Property

The critical property in session management is that a non-owner will notbe able to gain access to an active session ID. The session ID in thiscase can be considered a confidential variable in a process calculusrepresentation of the session management protocol. All attacker channelsare considered public (i.e., the opposite of confidential). Thus, thesession ID security question can be reframed as an information flownoninterference one where it is required that the confidential sessionID never falls into a public channel. In terms of information flow, thismeans the value of the session ID should never interfere or make adifference to the result of public results from attacker computations.Notice that this property is more precise than prohibiting the sessionID from leaking out, as is prevented by transport-layer encryption. Thisproperty permits the session ID to appear in the attacker system as longas it remains only in confidential channels which cannot be directly orindirectly observed by the attacker. This concept is a natural match forthe third party authorization problem where a third party, the client,must have access to a session ID, but not in a way that it can befurther disclosed or abused.

As illustrated in FIG. 3, the main steps for verifying the security ofthe session ID 300 include:

-   -   1. Label the session ID as high confidentiality 302.    -   2. Label non-owner and authorization server channels as public        304. A non-owner channel is any channel used to communicated        with entities other than the session over. An authorization        server channel is a channel used to communicate with the        authorization channel. Assigning a label means that the analysis        process associates the label with the channel (e.g., by        maintaining a lookup table of all associations established so        far). An authorization server should not be provided with a        session id; only the user should get it.    -   3. Type check with a security type system 306.        Steps 1 (element 302) and 2 (element 304) above are essentially        preparation steps for analysis, and step 3 (element 306) is the        main analysis step.

(3.4) Type System

To protect the confidentiality of the session 1, a security type systemis used. The type system enables step 3 above. In the security typesystem, the main high value would be the session ID. The public (i.e.,low confidentiality) channels include all channels except for thoseinvolved in authentication and authorization, principally the resourceowner and authorization server channels. The type checker traverses theprogram to ensure that the session ID will not directly or indirectly(via control flow) leak to the attacker or any third party observing theclient, resource owner, and other actors (or parties). Below is anon-limiting example of a simple, restrictive version of a security typesystem for the π-calculus following and simplifying the Kobayashi typesystem (see Literature Reference No. 3).

ℓ : : = ξLH ϕ; pc ⊢ 0$\frac{\Gamma;{{pc} \vdash P}}{\Gamma;{{pc} \vdash {*P}}}$$\frac{{\Gamma\left\lbrack x\mapsto\xi \right\rbrack};{{pc} \vdash P}}{\Gamma;{{pc} \vdash {\left( {{vx}:\xi} \right)P}}}$$\frac{\Gamma_{1};{{pc} \vdash {P_{1}\mspace{14mu}\Gamma_{2}}};{{pc} \vdash P_{2}}}{\Gamma_{1}{{\Gamma_{2};{{pc} \vdash P_{1}}}}P_{2}}$$\frac{{{\Gamma\left\lbrack x\mapsto\left\langle \tau \right\rangle^{l_{1}} \right\rbrack}\left\lbrack y\leftrightarrow\tau \right\rbrack};{l_{2} \vdash {{P\mspace{14mu}{pc}} \sqsubseteq l_{1}\underset{¯}{\sqsubseteq}l_{2}}}}{{\Gamma\left\lbrack x\mapsto\left\langle \tau \right\rangle^{l_{1}} \right\rbrack};{{pc} \vdash {{x(y)}.P}}}$$\frac{{\Gamma\left\lbrack x\mapsto\left\langle \tau \right\rangle^{l_{1}} \right\rbrack};{l_{2} \vdash P}}{\Gamma;{{pc} \vdash {\overset{\_}{x}{\left\langle v \right\rangle.P}}}}$

In the above type system, the judgments are of the form Γ;pc

P, where Γ is the type environment, pc is the program context securitylevel (i.e., the security level of the control), and P is the π-calculusprocess to be checked. The type environment is a sequence of bindings ofthe form [x

r], where x is the channel name (string) and r is the correspondingchannel type. The 0 rule type checks the 0 process under all typeenvironments. The *P rule recursively type checks the replicated processP under the same type environment context and program context pc. Thetype checking rule for the scope restriction operator (vx:ξ)P adds afresh variable to the environment.

The process of managing the state of a web-based client is through theuse of session IDs. Session IDs are used by the application to uniquelyidentify a client browser, while background (server-side) processes areused to associate the session ID with a level of access. Session IDs areoften used to identify a user that has logged into a website, they canbe used by an adversary to hijack the session and obtain potentialprivileges.

The invention described herein can be utilized in many client-serverapplications, both customer- and internal-facing applications, whichrely on session management to maintain identities in workflows. Forexample, a company's internal and customer solutions may includeorganizational management capabilities which require session-enabledidentification and authentication for nearly all workflows. The systemdescribed herein can be used to prevent adversaries from gaining accessto certain private levels of a website, thus maintaining security of thewebsite.

Finally, while this invention has been described in terms of severalembodiments, one of ordinary skill in the art will readily recognizethat the invention may have other applications in other environments. Itshould be noted that many embodiments and implementations are possible.Further, the following claims are in no way intended to limit the scopeof the present invention to the specific embodiments described above. Inaddition, any recitation of “means for” is intended to evoke ameans-plus-function reading of an element and a claim, whereas, anyelements that do not specifically use the recitation “means for”, arenot intended to be read as means-plus-function elements, even if theclaim otherwise includes the word “means”. Further, while particularmethod steps have been recited in a particular order, the method stepsmay occur in any desired order and fall within the scope of the presentinvention.

What is claimed is:
 1. A system for session workflow information flowanalysis, the system comprising: one or more processors and anon-transitory computer-readable medium having executable instructionsencoded thereon such that when executed, the one or more processorsperform operations of: verifying security of a session identification(ID), comprising: assigning a label to the session ID in a sessionworkflow according to a level of high confidentiality, such that thesession ID remains only in confidential channels, wherein the session IDis a confidential variable in a process calculus representation of asession management protocol; assigning labels to non-owner channels andauthorization server channels according to a level of lowconfidentiality, such that the non-owner channels and authorizationserver channels are labeled as public channels; and type checking thesession ID with a type system for information flow analysis; andprotecting confidentiality of the session ID using the type system forinformation flow analysis.
 2. The system as set forth in claim 1,wherein the one or more processors further perform an operation ofcodifying a session lifecycle in a formal semantics that enablesautomatic checking of session management functionality in any programthat uses the session ID, wherein the formal semantics is a mathematicaldefinition of programming language constructs.
 3. The system as setforth in claim 2, wherein a type checker ensures that the session IDwill not directly or indirectly leak to an attacker.
 4. The system asset forth in claim 1, wherein the session ID can appear in an attackersystem provided that it remains only in confidential channels, whereinthe confidential channels cannot be directly or indirectly observed byan attacker.
 5. A computer-implemented method for session workflowinformation flow analysis, the computer-implemented method using one ormore processors to perform operations of: verifying security of asession identification (ID), comprising: assigning a label to thesession ID in a session workflow according to a level of highconfidentiality, such that the session ID remains only in confidentialchannels, wherein the session ID is a confidential variable in a processcalculus representation of a session management protocol; assigninglabels to non-owner channels and authorization server channels accordingto a level of low confidentiality, such that the non-owner channels andauthorization server channels are labeled as public channels; and typechecking the session ID with a type system for information flowanalysis; and protecting confidentiality of the session ID using thetype system for information flow analysis.
 6. The method as set forth inclaim 5, wherein the one or more processors further perform an operationof codifying a session lifecycle in a formal semantics that enablesautomatic checking of session management functionality in any programthat uses the session ID, wherein the formal semantics is a mathematicaldefinition of programming language constructs.
 7. The method as setforth in claim 6, wherein a type checker ensures that the session IDwill not directly or indirectly leak to an attacker.
 8. The method asset forth in claim 5, wherein the session ID can appear in an attackersystem provided that it remains only in confidential channels, whereinthe confidential channels cannot be directly or indirectly observed byan attacker.
 9. A non-transitory computer readable medium for sessionworkflow information analysis, having stored thereon, computer-readableinstructions that when executed by a processor, cause the processor toperform operations comprising: verifying security of a sessionidentification (ID), comprising: assigning a label to the session ID ina session workflow according to a level of high confidentiality, suchthat the session ID remains only in confidential channels, wherein thesession ID is a confidential variable in a process calculusrepresentation of a session management protocol; assigning labels tonon-owner channels and authorization server channels according to alevel of low confidentiality, such that the non-owner channels andauthorization server channels are labeled as public channels; and typechecking the session ID with a type system for information flowanalysis; and protecting confidentiality of the session ID using thetype system for information flow analysis.
 10. The computer programproduct as set forth in claim 9, further comprising computer readableinstructions to cause the processor to codify a session lifecycle in aformal semantics that enables automatic checking of session managementfunctionality in any program that uses the session ID, wherein theformal semantics is a mathematical definition of programming languageconstructs.
 11. The computer program product as set forth in claim 10,further comprising computer readable instructions to cause a typechecker to ensure that the session ID will not directly or indirectlyleak to an attacker.
 12. The computer program product as set forth inclaim 9, wherein the session ID can appear in an attacker systemprovided that it remains only in confidential channels, wherein theconfidential channels cannot be directly or indirectly observed by anattacker.